
Chapter 11. Configuring polyinstantiated directories


By default, all programs, services, and users use the /tmp, /var/tmp, and home directories for temporary storage. This makes these directories vulnerable to race condition attacks and information leaks based on file names. You can make /tmp/, /var/tmp/, and the home directory polyinstantiated so that they are no longer shared between all users: each user gets a private instance directory under /tmp-inst and /var/tmp/tmp-inst, which is bind mounted over /tmp and /var/tmp for that user's session.

Procedure

  1. Enable polyinstantiation in SELinux:

    # setsebool -P allow_polyinstantiation 1

    You can verify that polyinstantiation is enabled in SELinux by entering the getsebool allow_polyinstantiation command.

  2. Create the directory structure for data persistence over reboot with the necessary permissions:

    # mkdir /tmp-inst /var/tmp/tmp-inst --mode 000
  3. Restore the entire security context including the SELinux user part:

    # restorecon -Fv /tmp-inst /var/tmp/tmp-inst
    Relabeled /tmp-inst from unconfined_u:object_r:default_t:s0 to system_u:object_r:tmp_t:s0
    Relabeled /var/tmp/tmp-inst from unconfined_u:object_r:tmp_t:s0 to system_u:object_r:tmp_t:s0
  4. If your system uses the fapolicyd application control framework, enable the allow_filesystem_mark option in the /etc/fapolicyd/fapolicyd.conf configuration file so that fapolicyd can monitor file access events on the underlying file system when the instance directories are bind mounted:

    allow_filesystem_mark = 1
  5. Enable instantiation of the /tmp, /var/tmp/, and users' home directories:

    Important

    Use /etc/security/namespace.conf instead of a separate file in the /etc/security/namespace.d/ directory because the pam_namespace_helper program does not read additional files in /etc/security/namespace.d.

    1. On a system with multi-level security (MLS), uncomment the last three lines in the /etc/security/namespace.conf file:

      /tmp     /tmp-inst/            level    root,adm
      /var/tmp /var/tmp/tmp-inst/    level    root,adm
      $HOME    $HOME/$USER.inst/     level
    2. On a system without multi-level security (MLS), add the following lines in the /etc/security/namespace.conf file:

      /tmp     /tmp-inst/            user     root,adm
      /var/tmp /var/tmp/tmp-inst/    user     root,adm
      $HOME    $HOME/$USER.inst/     user
  6. Verify that the pam_namespace.so module is configured for the session:

    $ grep namespace /etc/pam.d/login
    session    required     pam_namespace.so
  7. Optional: Enable cloud users to access the system with SSH keys:

    1. Install the openssh-keycat package.
    2. Create a file in the /etc/ssh/sshd_config.d/ directory with the following content:

      AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat
      AuthorizedKeysCommandRunAs root
    3. Verify that public key authentication is enabled by checking that the PubkeyAuthentication variable in sshd_config is set to yes. By default, PubkeyAuthentication is set to yes, even though the line in sshd_config is commented out.

      $ grep -r PubkeyAuthentication /etc/ssh/
      /etc/ssh/sshd_config:#PubkeyAuthentication yes
  8. Add the session required pam_namespace.so unmnt_remnt entry to the PAM configuration file of each service for which polyinstantiation should apply, placing it after the session include system-auth line. For example, in /etc/pam.d/su, /etc/pam.d/sudo, /etc/pam.d/ssh, and /etc/pam.d/sshd:

    [...]
    session        include        system-auth
    session        required    pam_namespace.so unmnt_remnt
    [...]
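The procedure above, gathered into one script as an added example that is not part of the Red Hat documentation: the functions apply the file edits of steps 4, 5 and 8 idempotently (re-running them does not duplicate entries), and the driver at the bottom runs steps 1 to 8 on a live host. The function names, the script name and the apply/method arguments are assumptions; the commands and paths are the ones the steps use.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation: shell helpers that apply
# the file edits of steps 4, 5 and 8 idempotently, plus a driver that runs the
# whole procedure on a live system. Function names are assumptions; file
# paths default to the ones the procedure uses.

# Step 5: write the three namespace.conf entries for METHOD ("level" on an
# MLS system, "user" otherwise) into FILE, replacing earlier entries for the
# same directories so the function can be re-run safely.
write_namespace_conf() {
    method="$1"; conf="$2"
    case "$method" in
        level|user) ;;
        *) echo "method must be level or user, got '$method'" >&2; return 1 ;;
    esac
    if [ -f "$conf" ]; then
        grep -Ev '^(/tmp|/var/tmp|\$HOME)[[:space:]]' "$conf" > "$conf.tmp" || :
    else
        : > "$conf.tmp"
    fi
    printf '%s\n' \
        "/tmp     /tmp-inst/            $method  root,adm" \
        "/var/tmp /var/tmp/tmp-inst/    $method  root,adm" \
        "\$HOME    \$HOME/\$USER.inst/     $method" >> "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Step 4: set allow_filesystem_mark = 1 in fapolicyd.conf; a missing file
# means fapolicyd is not installed and nothing needs to change.
enable_fapolicyd_mark() {
    conf="$1"
    [ -f "$conf" ] || return 0
    if grep -Eq '^[[:space:]]*allow_filesystem_mark[[:space:]]*=' "$conf"; then
        sed -i -E 's/^[[:space:]]*allow_filesystem_mark[[:space:]]*=.*/allow_filesystem_mark = 1/' "$conf"
    else
        echo 'allow_filesystem_mark = 1' >> "$conf"
    fi
}

# Step 8: insert the pam_namespace.so session line directly after
# "session include system-auth" in one PAM service file. Does nothing when
# the module is already configured; fails when there is no anchor line.
add_pam_namespace_line() {
    pamfile="$1"
    line='session        required    pam_namespace.so unmnt_remnt'
    if grep -q 'pam_namespace\.so' "$pamfile"; then
        return 0
    fi
    if ! grep -Eq '^session[[:space:]]+include[[:space:]]+system-auth' "$pamfile"; then
        echo "$pamfile: no 'session include system-auth' line to anchor on" >&2
        return 1
    fi
    awk -v l="$line" \
        '{ print } /^session[ \t]+include[ \t]+system-auth/ { print l }' \
        "$pamfile" > "$pamfile.tmp" && mv "$pamfile.tmp" "$pamfile"
}

# Driver for a live RHEL host (root required):
#   sh polyinstantiate.sh apply level    # MLS system
#   sh polyinstantiate.sh apply user     # non-MLS system
if [ "${1:-}" = apply ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    setsebool -P allow_polyinstantiation 1                          # step 1
    mkdir -p /tmp-inst /var/tmp/tmp-inst                            # step 2 (mkdir --mode 000,
    chmod 000 /tmp-inst /var/tmp/tmp-inst                           #  split so re-runs also set the mode)
    restorecon -Fv /tmp-inst /var/tmp/tmp-inst                      # step 3
    enable_fapolicyd_mark /etc/fapolicyd/fapolicyd.conf             # step 4
    write_namespace_conf "${2:-user}" /etc/security/namespace.conf  # step 5
    for svc in su sudo ssh sshd; do                                 # step 8
        [ -f "/etc/pam.d/$svc" ] && add_pam_namespace_line "/etc/pam.d/$svc"
    done
    grep namespace /etc/pam.d/login                                 # step 6
fi
```

The three helper functions take the file to edit as a parameter, so they can be exercised against copies in a scratch directory before being pointed at /etc; the driver only runs when invoked with the apply argument.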

Verification

  1. Log in as a non-root user. Users who were logged in before polyinstantiation was configured must log out and log in again before the changes take effect for them.
  2. Check that the /tmp/ directory is bind mounted from your instance directory under /tmp-inst/:

    $ findmnt --mountpoint /tmp/
    TARGET SOURCE                      FSTYPE OPTIONS
    /tmp   /dev/vda1[/tmp-inst/<user>] xfs    rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota

    The SOURCE output differs based on your environment:

      * On virtual systems, it shows /dev/vda<number>.
      * On bare-metal systems, it shows /dev/sda<number> or /dev/nvme*.
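An added audit script for the verification section (example code, not from the Red Hat documentation): it validates the namespace.conf entries and the PAM ordering from the procedure and, on a configured host, compares the SOURCE value that findmnt reports for /tmp and /var/tmp with the instance directory expected for the logged-in user. The function names, the script name and the live argument are assumptions; the files and the findmnt invocation are the ones the procedure uses.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation: an audit script for the
# verification section. It checks the static PAM and namespace.conf
# configuration and, on a live host, the bind mounts that findmnt reports.
# Function names are assumptions. Usage on the configured host:
#   sh audit-polyinstantiation.sh live [user]

# Extract the instance directory from a findmnt SOURCE value such as
# "/dev/vda1[/tmp-inst/alice]"; fails when SOURCE has no bind-mount subpath.
instance_of() {
    inst=$(printf '%s\n' "$1" | sed -n 's/^[^[]*\[\(.*\)]$/\1/p')
    [ -n "$inst" ] || return 1
    printf '%s\n' "$inst"
}

# Check the entries from step 5 in FILE: /tmp, /var/tmp and $HOME must each
# be present, use a known method (user, level, context or tmpfs, optionally
# followed by ":flags"), and have an instance prefix ending in "/" as in the
# examples above. Prints one line per problem; exit status 1 if any exist.
check_namespace_conf() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        {
            seen[$1] = 1
            split($3, m, ":")
            if (m[1] != "user" && m[1] != "level" && m[1] != "context" && m[1] != "tmpfs") {
                print FILENAME ": " $1 ": unknown method \"" $3 "\""; bad = 1
            }
            if ($2 !~ /\/$/) {
                print FILENAME ": " $1 ": instance prefix " $2 " should end with /"; bad = 1
            }
        }
        END {
            split("/tmp /var/tmp $HOME", want, " ")
            for (i in want) if (!seen[want[i]]) { print FILENAME ": missing entry for " want[i]; bad = 1 }
            exit bad
        }' "$1"
}

# Check one PAM service file (steps 6 and 8): a session line for
# pam_namespace.so must exist and, when the file includes system-auth, it
# must come after that include, as step 8 requires.
check_pam_order() {
    awk '
        $1 == "session" && $2 == "include" && $3 == "system-auth" { inc = NR }
        $1 == "session" && $3 == "pam_namespace.so"                  { ns = NR }
        END {
            if (!ns)             { print FILENAME ": no session line for pam_namespace.so"; exit 1 }
            if (inc && ns < inc) { print FILENAME ": pam_namespace.so must follow session include system-auth"; exit 1 }
            exit 0
        }' "$1"
}

# Live checks: configuration files plus the mounts of the given user
# (default: the user running the script, who must have logged in after the
# change for the mounts to exist).
audit_live() {
    user="${1:-$(id -un)}"
    check_namespace_conf /etc/security/namespace.conf
    for svc in login su sudo ssh sshd; do
        [ -f "/etc/pam.d/$svc" ] && check_pam_order "/etc/pam.d/$svc"
    done
    for mp in /tmp /var/tmp; do
        src=$(findmnt -n -o SOURCE --mountpoint "$mp")
        if ! inst=$(instance_of "$src"); then
            echo "$mp: not a bind mount of an instance directory (SOURCE=$src)"
            continue
        fi
        # Match on the suffix so an instance name that carries a prefix in
        # front of the user name still passes.
        case "$inst" in
            *"$user") echo "$mp -> $inst" ;;
            *)        echo "$mp: instance $inst does not belong to $user" ;;
        esac
    done
}

if [ "${1:-}" = live ]; then
    audit_live "${2:-}"
fi
```

Run the script with the live argument as the user whose mounts you want to inspect; without it, only the functions are defined, so they can be checked against copies of the configuration files.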

© 2025 Red Hat